如何使用.NET Core Web应用程序分发数据保护密钥? [英] How does one distribute Data Protection keys with a .NET Core web app?
问题描述
我不清楚数据保护密钥在Web场环境中如何工作。我没有所有服务器都可以使用的通用位置(并且不想处理权限)。因此,我想生成一个密钥并将其与网络应用程序一起分发。
I am a bit unclear on how Data Protection keys work in a web farm environment. I don't have a common location that all servers can use (and don't want to deal with permissions). Therefore I'd like to generate a key and distribute it with the web application.
我正在执行以下操作,但不确定是否正确。因此,我在开发人员计算机上本地生成了一个密钥文件,该密钥文件如下:
I am doing the following, but not sure if that is right. So I generate a key file locally on my dev pc with:
var specialFolder = Environment.SpecialFolder.CommonApplicationData;
var appDataPath = Path.Combine(
Environment.GetFolderPath(specialFolder),
"company",
"product"
);
services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(appDataPath));
这将创建 key-some-guid.xml 文件。然后,我使用Web应用程序分发此文件。
This creates a key-some-guid.xml file. I then distribute this file with my web application.
现在,当我运行Web应用程序时,在Startup.Configure服务中,将此文件复制到 appDataPath 位置(如上定义),然后调用 services.AddDataProtection()。PersistKeysToFileSystem(new DirectoryInfo(appDataPath)); 。
Now, when I run my web app, in the Startup.Configure services, copy this file to the appDataPath location (defined above) and call services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(appDataPath));.
那行得通吗?还是我根本上缺少什么?
Will that work? Or am I fundamentally missing something?
推荐答案
回答我自己的问题。以下内容似乎适用于整个Web场。从Startup.ConfigureServices调用以下方法。假定该密钥(在开发计算机上生成)位于项目根目录下的Keys文件夹中。
Answering my own question. The following seems to work across a web farm. Call the method below from Startup.ConfigureServices. It assumes that the key (that was generated on a dev machine) resides in the Keys folder off the root of the project.
public Startup(IHostingEnvironment env)
{
/* skipping boilerplate setup code */
Environment = env;
}
private IHostingEnvironment Environment { get; set; }
private void ConfigureDataProtection(IServiceCollection services) {
// get the file from the Keys directory
string keysFile = string.Empty;
string keysPath = Path.Combine(Environment.ContentRootPath, "Keys");
if (!Directory.Exists(keysPath)) {
Log.Add($"Keys directory {keysPath} doesn't exist");
return;
}
string[] files = Directory.GetFiles(keysPath);
if (files.Length == 0) {
LLog.Add($"No keys found in directory {keysPath}");
return;
} else {
keysFile = files[0];
if (files.Length >= 2) {
LLog.Add($"Warning: More than 1 key found in directory {keysPath}. Using first one.");
}
}
// find and optionally create the path for the key storage
var appDataPath = Path.Combine(
System.Environment.GetFolderPath(System.Environment.SpecialFolder.CommonApplicationData),
"companyName",
"productName"
);
if (!Directory.Exists(appDataPath)) {
try {
Directory.CreateDirectory(appDataPath);
} catch (Exception ex) {
Log.Add($"Error creating key storage folder at {appDataPath}. Error: {ex.Message}");
return;
}
}
// delete any keys from the storage directory
try {
foreach (var file in new DirectoryInfo(appDataPath).GetFiles()) file.Delete();
} catch (Exception ex) {
Log.Add($"Error deleting keys from {appDataPath}. Error: {ex.Message}");
return;
}
try {
string targetPath = Path.Combine(appDataPath, new FileInfo(keysFile).Name);
File.Copy(keysFile, targetPath, true);
} catch (Exception ex) {
Log.Add($"Error copying key file {keysFile} to {appDataPath}. Error: {ex.Message}");
return;
}
// everything is in place
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(appDataPath))
.DisableAutomaticKeyGeneration();
}
这篇关于如何使用.NET Core Web应用程序分发数据保护密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
